(Feature) Get team audit logs through secure tunnel (#274)

Replace old endpoints with new ones

---------

Signed-off-by: Jose Arroyo <jose.m.arroyo.se@gmail.com>
Co-authored-by: Jose Arroyo Rodriguez <jose.arroyo@dashlane.com>

Author: jomi-se

documentation/pages/business/audit-logs.mdx

@@ -33,13 +33,11 @@ The logs are output in JSON format, each line is a new log entry.
 
 ## Filtering the logs
 
-With the following options you can filter the logs by start and end date, log type and category.
+With the following options you can filter the logs by start and end date.
 
 ```sh
   --start <start>        start timestamp in ms (default: "0")
   --end <end>            end timestamp in ms (default: "now")
-  --type <type>          log type
-  --category <category>  log category
 ```
 
 ### Filtering by date

src/command-handlers/teamLogs.ts

@@ -1,26 +1,17 @@
-import { StartAuditLogsQueryParams, startAuditLogsQuery, getAuditLogQueryResults } from '../endpoints/index.js';
+import { getAuditLogs } from '../endpoints/index.js';
 import { getTeamDeviceCredentials, jsonToCsv, epochTimestampToIso } from '../utils/index.js';
-import { GenericLog } from '../types/logs.js';
 import { logger } from '../logger.js';
 
-export const runTeamLogs = async (options: {
-    start: string;
-    end: string;
-    type: string;
-    category: string;
-    csv: boolean;
-    humanReadable: boolean;
-}) => {
+export const runTeamLogs = async (options: { start: string; end: string; csv: boolean; humanReadable: boolean }) => {
     const teamDeviceCredentials = getTeamDeviceCredentials();
-
-    const { start, end, type, category } = options;
+    const { start, end } = options;
 
     let logs = await getAuditLogs({
         teamDeviceCredentials,
-        startDateRangeUnix: parseInt(start),
-        endDateRangeUnix: parseInt(end),
-        logType: type,
-        category,
+        queryParams: {
+            startDateRangeUnixMs: parseInt(start),
+            endDateRangeUnixMs: parseInt(end),
+        },
     });
 
     if (options.humanReadable) {
@@ -39,38 +30,3 @@ export const runTeamLogs = async (options: {
 
     logs.forEach((log) => logger.content(JSON.stringify(log)));
 };
-
-const MAX_RESULT = 1000;
-
-export const getAuditLogs = async (params: StartAuditLogsQueryParams): Promise<GenericLog[]> => {
-    const { teamDeviceCredentials } = params;
-
-    const { queryExecutionId } = await startAuditLogsQuery(params);
-
-    let result = await getAuditLogQueryResults({ teamDeviceCredentials, queryExecutionId, maxResults: MAX_RESULT });
-    logger.debug(`Query state: ${result.state}`);
-
-    while (['QUEUED', 'RUNNING'].includes(result.state)) {
-        await new Promise((resolve) => setTimeout(resolve, 2000));
-        result = await getAuditLogQueryResults({ teamDeviceCredentials, queryExecutionId, maxResults: MAX_RESULT });
-        logger.debug(`Query state: ${result.state}`);
-    }
-
-    if (result.state !== 'SUCCEEDED') {
-        throw new Error(`Query execution did not succeed: ${result.state}`);
-    }
-
-    let logs = result.results;
-    while (result.nextToken) {
-        result = await getAuditLogQueryResults({
-            teamDeviceCredentials,
-            queryExecutionId,
-            maxResults: MAX_RESULT,
-            nextToken: result.nextToken,
-        });
-        logger.debug(`Query state: ${result.state}`);
-        logs = logs.concat(result.results);
-    }
-
-    return logs.map((log) => JSON.parse(log) as GenericLog);
-};

src/commands/team/index.ts

@@ -49,8 +49,6 @@ export const teamCommands = (params: { program: Command }) => {
             customParseTimestampMilliseconds,
             Date.now()
         )
-        .option('--type <type>', 'log type')
-        .option('--category <category>', 'log category')
         .option('--csv', 'Output in CSV format')
         .option('--human-readable', 'Output dates in human readable format')
         .action(runTeamLogs);

src/endpoints/getAuditLogs.ts

@@ -1,44 +1,17 @@
-import { requestTeamApi } from '../requestApi.js';
+import { apiConnect } from '../modules/tunnel-api-connect/apiconnect.js';
+import { logger } from '../logger.js';
 import { TeamDeviceCredentials } from '../types.js';
+import { GenericLog } from '../types/logs.js';
 
 export interface StartAuditLogsQueryParams {
-    teamDeviceCredentials: TeamDeviceCredentials;
-
     /**
      * The start of the date range to query audit logs by. The format is unix timestamp in seconds. Only the date is used, not the time.
      */
-    startDateRangeUnix: number;
+    startDateRangeUnixMs: number;
     /**
      * The end of the date range of to query audit logs by. The format is unix timestamp in seconds. Only the date is used, not the time.
      */
-    endDateRangeUnix: number;
-    /**
-     * The user ID of the author of the audit log.
-     */
-    authorUserId?: number;
-    /**
-     * The ID of the user targeted by the audit log action.
-     */
-    targetUserId?: number;
-    /**
-     * The ID of the sharing group targeted by the audit log action.
-     */
-    sharingGroupId?: number;
-    /**
-     * The types of audit logs to filter by.
-     */
-    logType?: string;
-    /**
-     * The categories audit logs to filter by.
-     */
-    category?: string;
-    /**
-     * Additional properties to filter by. Refer to the specific audit log schema for property details.
-     */
-    properties?: {
-        propName: string;
-        value: string;
-    }[];
+    endDateRangeUnixMs: number;
 }
 
 export interface StartAuditLogsQueryOutput {
@@ -48,22 +21,13 @@ export interface StartAuditLogsQueryOutput {
     queryExecutionId: string;
 }
 
-export const startAuditLogsQuery = (params: StartAuditLogsQueryParams) => {
-    const { teamDeviceCredentials, ...payload } = params;
-    return requestTeamApi<StartAuditLogsQueryOutput>({
-        path: 'auditlogs-teamdevice/StartAuditLogsQuery',
-        teamUuid: teamDeviceCredentials.uuid,
-        teamDeviceKeys: {
-            accessKey: teamDeviceCredentials.accessKey,
-            secretKey: teamDeviceCredentials.secretKey,
-        },
-        payload,
-    });
-};
+export interface StartAuditLogsQueryRequest {
+    path: 'logs-teamdevice/StartAuditLogsQuery';
+    input: StartAuditLogsQueryParams;
+    output: StartAuditLogsQueryOutput;
+}
 
 export interface GetAuditLogQueryResultsParams {
-    teamDeviceCredentials: TeamDeviceCredentials;
-
     /**
      * The ID associated with the query executed by the RequestAuditLogs endpoint.
      */
@@ -93,15 +57,59 @@ export interface GetAuditLogQueryResultsOutput {
     nextToken?: string;
 }
 
-export const getAuditLogQueryResults = (params: GetAuditLogQueryResultsParams) => {
-    const { teamDeviceCredentials, ...payload } = params;
-    return requestTeamApi<GetAuditLogQueryResultsOutput>({
-        path: 'auditlogs-teamdevice/GetAuditLogQueryResults',
-        teamUuid: teamDeviceCredentials.uuid,
-        teamDeviceKeys: {
-            accessKey: teamDeviceCredentials.accessKey,
-            secretKey: teamDeviceCredentials.secretKey,
+export interface GetAuditLogQueryResultsRequest {
+    path: 'logs-teamdevice/GetAuditLogQueryResults';
+    input: GetAuditLogQueryResultsParams;
+    output: GetAuditLogQueryResultsOutput;
+}
+
+const MAX_RESULT = 1000;
+
+export const getAuditLogs = async (params: {
+    queryParams: StartAuditLogsQueryParams;
+    teamDeviceCredentials: TeamDeviceCredentials;
+}): Promise<GenericLog[]> => {
+    const { teamDeviceCredentials, queryParams } = params;
+
+    const api = await apiConnect({
+        useProductionCertificate: true,
+    });
+
+    const { queryExecutionId } = await api.sendSecureContent<StartAuditLogsQueryRequest>({
+        ...api,
+        path: 'logs-teamdevice/StartAuditLogsQuery',
+        payload: queryParams,
+        authentication: {
+            type: 'teamDevice',
+            teamDeviceKeys: teamDeviceCredentials,
+            teamUuid: teamDeviceCredentials.uuid,
         },
-        payload,
     });
+
+    let result: GetAuditLogQueryResultsOutput | undefined;
+    let logs: string[] = [];
+
+    do {
+        await new Promise((resolve) => setTimeout(resolve, 2000));
+        result = await api.sendSecureContent<GetAuditLogQueryResultsRequest>({
+            ...api,
+            path: 'logs-teamdevice/GetAuditLogQueryResults',
+            payload: { queryExecutionId, maxResults: MAX_RESULT, nextToken: result?.nextToken },
+            authentication: {
+                type: 'teamDevice',
+                teamDeviceKeys: teamDeviceCredentials,
+                teamUuid: teamDeviceCredentials.uuid,
+            },
+        });
+        logger.debug(`Query state: ${result.state}`);
+        if (result.state === 'SUCCEEDED') {
+            logs = logs.concat(result.results);
+        } else if (['QUEUED', 'RUNNING'].includes(result.state)) {
+            await new Promise((resolve) => setTimeout(resolve, 2000));
+        } else {
+            throw new Error(`Query execution did not succeed: ${result.state}`);
+        }
+    } while (result.state !== 'SUCCEEDED' || result.nextToken);
+
+    return logs.map((log) => JSON.parse(log) as GenericLog);
 };

src/modules/auth/confidential-sso/index.ts

@@ -10,11 +10,7 @@ interface ConfidentialSSOParams {
 
 export const doConfidentialSSOVerification = async ({ requestedLogin }: ConfidentialSSOParams) => {
     const api = await apiConnect({
-        isProduction: true,
-        enclavePcrList: [
-            [3, 'dfb6428f132530b8c021bea8cbdba2c87c96308ba7e81c7aff0655ec71228122a9297fd31fe5db7927a7322e396e4c16'],
-            [8, '4dbb92401207e019e132d86677857081d8e4d21f946f3561b264b7389c6982d3a86bcf9560cef4a2327eac5c5c6ab820'],
-        ],
+        useProductionCertificate: true,
     });
     const requestLoginResponse = await api.sendSecureContent<RequestLogin2Request>({
         ...api,

src/modules/tunnel-api-connect/apiconnect.ts

@@ -1,4 +1,5 @@
 import sodium from 'libsodium-wrappers';
+import { EnclavePcr } from '@dashlane/nsm-attestation';
 import { clientHello, terminateHello, SendSecureContentParams, sendSecureContent } from './steps/index.js';
 import { ApiConnectParams, ApiConnect, ApiData, ApiRequestsDefault } from './types.js';
 import { makeClientKeyPair, makeOrRefreshSession } from './utils/index.js';
@@ -15,13 +16,27 @@ const hasFullApiData = (data: Partial<ApiData>): data is ApiData => {
     return false;
 };
 
+const getEnclavePcrList = (): EnclavePcr<string>[] => {
+    if (process.env.DCLI_STAGING_HOST) {
+        return [
+            [3, '90528150e0f0537fa9e96b067137f6494d525f2fcfd15b478ce28ab2cfaf38dd4e24ad73f9d9d6f238a7f39f2d1956b7'],
+        ];
+    }
+
+    return [
+        [3, 'dfb6428f132530b8c021bea8cbdba2c87c96308ba7e81c7aff0655ec71228122a9297fd31fe5db7927a7322e396e4c16'],
+        [8, '4dbb92401207e019e132d86677857081d8e4d21f946f3561b264b7389c6982d3a86bcf9560cef4a2327eac5c5c6ab820'],
+    ];
+};
+
 /** Return an object that can be used to send secure content through the tunnel
  */
 export const apiConnect = async (apiParametersIn: ApiConnectParams): Promise<ApiConnect> => {
     await sodium.ready;
 
     const apiParameters = {
         ...apiParametersIn,
+        enclavePcrList: getEnclavePcrList(),
         ...{ clientKeyPair: apiParametersIn.clientKeyPair ?? makeClientKeyPair() },
     };
 

src/modules/tunnel-api-connect/steps/terminateHello.ts

@@ -17,12 +17,12 @@ export const terminateHello = async (
         throw new SecureTunnelNotInitialized();
     }
 
-    const { clientKeyPair, attestation, isProduction, enclavePcrList } = params;
+    const { clientKeyPair, attestation, useProductionCertificate, enclavePcrList } = params;
     const { tunnelUuid } = apiData.clientHello;
 
     const { userData } = await verifyAttestation({
         attestation,
-        useProductionCertificate: isProduction,
+        useProductionCertificate,
         pcrs: enclavePcrList,
     });
 

src/modules/tunnel-api-connect/steps/types.ts

@@ -1,5 +1,6 @@
 import type sodium from 'libsodium-wrappers';
 import { ApiRequestsDefault } from '../types.js';
+import { EnclavePcr } from '@dashlane/nsm-attestation';
 
 export interface ApiEndpointResponse<T> {
     requestId: string;
@@ -56,6 +57,7 @@ export interface SendSecureContentParams<R extends ApiRequestsDefault> {
 
 export interface TerminateHelloParams {
     attestation: Buffer;
+    enclavePcrList: EnclavePcr<string>[];
 }
 
 export interface TerminateHelloResponse {

src/modules/tunnel-api-connect/types.ts

@@ -1,4 +1,3 @@
-import type { EnclavePcr } from '@dashlane/nsm-attestation';
 import type sodium from 'libsodium-wrappers';
 import type { ClientHelloParsedResponse, SendSecureContentParams, TerminateHelloResponse } from './steps/index.js';
 
@@ -23,9 +22,8 @@ export interface ApiData {
 }
 
 export interface ApiConnectParams {
-    isProduction: boolean;
+    useProductionCertificate: boolean;
     clientKeyPair?: sodium.KeyPair;
-    enclavePcrList: EnclavePcr<string>[];
 }
 
 export interface ApiConnectInternalParams extends ApiConnectParams {